FAQs
Digital signature
Digital signature
Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market is established as the common European reference framework in the EU.
Its objective is to strengthen confidence in electronic transactions in the internal market by providing a common basis for secure electronic interactions between citizens, businesses and public administrations.
Under this Regulation, the types of digital signature with full legal validity and their main requirements are established.
Through this official website you can find us as a Qualified Trusted Electronic Services Provider.
The advanced electronic signature is a type of digital signature included in the eIDAS Regulation that must meet a series of requirements:
- Be uniquely linked to the signatory.
- Allow identification of the signatory.
- Ensure the integrity of the signed document.
- Created using signature means under the signatory’s exclusive control.
There are two types of advanced electronic signature: biometric electronic signature and electronic signature with OTP code.
If you need more information, do not hesitate to contact us.
A signature with an OTP (One-Time Password) is a digital signature done by sending a single-use code (only valid to sign a specific document) with temporary validity to the signatory via SMS or email, depending on what is indicated when the signing process is created.
The qualified electronic signature is one of the signature levels included in the eIDAS Regulation that is performed with a digital certificate of qualified electronic signature, i.e., an electronic document that links the validation data of a signature with a natural or legal person, with a pair of keys, one public and one private.
“It contains the necessary information to sign electronically and identify its owner with his or her data: name, NIF, algorithm and signature keys, expiration date and issuing agency,” states the Government’s e-Government Portal.
This is the electronic signature with the highest level of security, as it complies with the provisions of Regulation (EU) No. 910/2014 (eIDAS Regulation). It enjoys presumption of legal validity, being legally equivalent to the handwritten signature. This means that, in the event of a dispute, it will be considered as valid evidence before a court of law without the need to provide any expert evidence.
The digital certificate is a certification or electronic document issued by a Certification Authority (such as the Fábrica Nacional de Moneda y Timbre, FNMT).
It links a person with a public key, confirms his or her identity and allows him or her to carry out online procedures, including digitally signing his or her documents.
The digital certificate is a certification or electronic document issued by a Certification Authority (FNMT). It links a person with a public key, confirms his or her identity and allows him or her to carry out online procedures, including digitally signing his or her documents.
The digital signature is a cryptographic mechanism that, when applied to an electronic document, allows the receiver to identify the signatory and know for certain that the document is the original and, therefore, has not been altered.
With the digital signature you will be able to sign digitally and legally without the need of having a digital certificate issued by the aforementioned authority.
If you have a digital certificate, you have one of the signature typologies included in the eIDAS Regulation, the qualified signature. But when signing documents with third parties, it is interesting to have a comprehensive digital signature solution that allows your company, your employees, customers and suppliers to sign digitally without having a certificate.
In short, if you have a comprehensive digital signature solution you will be able to:
- Continue using your own certificates
- Send to sign the documentation with third parties and have them return it to you signed without the need for a digital certificate.
The electronic signature applies to the entire document, not just to a specific page/s, so it is not necessary to make it visible on all pages. In fact, there is no legal criterion that establishes that a digital signature must be visible on the signed document for it to be valid.
Therefore, we can state that a digitally signed document is perfectly legal, even if it does not have a visible signature on all the pages of the document.
In view of the doubts generated in this regard, the public administration has tended to use CSV (secure verification codes). Basically, the original document without signatures is taken and this code is made visible on all pages of the document, also indicating the address where this code can be validated and checked against the signed document.
This version of the document is qualified as a true copy: it is not the original signed document, but allows access to it.
Is a digital signature legal? Docuten allows you to sign with different types of signatures. Below we describe the legality of each of the digital signature options we offer:
Assurance levels include qualified electronic signature and advanced electronic signature.
The legal validity of a digital signature is outlined by European Regulation (Nº910 /2014) on electronic signature (eIDAS) as well as other international standards. Under elDAS, the following levels of electronic or digital signature are laid out:
Qualified electronic signature
- Legally equivalent to a handwritten signature.
- Obtained through qualified certificates.
- Represents the highest level of electronic signature.
Advanced electronic Signature (equivalent to handwritten signature if it meets the below requirements)
- Uniquely linked to the signatory.
- Allows for the identification of the signatory.
- Created using means under the exclusive control of the signatory.
- Linked to data signed in such a way that any subsequent changes are detectable.
All of Docuten’s signature solutions fit into these signature classifications, and are thus legally valid and secure.
Centralised Signature (sign from anywhere): Legal Validity
The entry into force of the European Regulation (Nº910/2014) on electronic signature (eIDAS) has allowed for centralisation: electronic certificates are stored on the server and can be used from any computer or mobile device.
- The certificate remains in the sole custody of the signatory, and can only be accessed with the password with which it was encrypted.
- At the time of signing, a one-time code (OTP) is sent to the mobile phone or email of the signatory, and has to be used to complete the signature process.
- The certificate is kept on the server, and no additional components are necessary for its use.
With centralised signing (signing from anywhere), both qualified and non-qualified certificates can be used:
- Non-qualified certificates, issued by the digital signature platform. In this case, the signature would be an advanced electronic signature.
- Qualified certificates, issued by a “Qualified Certification Authority.” In this case, the signature would be a qualified electronic signature. This type of signature is only available through the Docuten Enterprise Plan. Contact us and we will clarify any questions you have regarding this plan.
Biometric Signature: Legal Validity
Docuten’s biometric signature solution allows you to sign documents with full legal validity from a mobile device, tablet, or smartphone for iOS and Android systems.
The signature is valid since the biometric data of the signature (speed in x, speed in y, acceleration in x, acceleration in y, angular accelerations, pressure variation / pseudo pressure, number of strokes, order of strokes, trace durations, etc.) are securely stored in the signed document.
Biometric data is encrypted with the public component of an encryption key. The private component is stored by the certification authority or notary that generated it, and only upon court request is this used to decrypt biometric information. Below you will find more information on the biometric signature.
Docuten’s biometric signature offers the highest level of security:
- The final encrypted and signed document can never be modified. If so, the hash and the digital signature would be altered, which would be indicated in the history of the document.
- The biometric data of the signature can only be accessed by those who have the private key of the master certificate.
- The time stamp that is included along with the biometric data certifies the exact moment of signing.
- The full original document to be signed is the one sent to the mobile device, not an image or part of the original document.
- The mobile device sends the signed document to the server with the biometric signature information encrypted and stored within the signed document itself, the original document and the signature are not bound outside the tablet. Regarding security, it is very important that this process is carried out on the device itself and that the document and the biometric signature are not separated since that could jeopardise access and safekeeping of the document’s signature.
- The platform is complemented by a forensic verification tool intended to be used by a handwriting expert in the event of a dispute regarding the signed document. Using this tool, the expert is able to discern whether or not the signature on the signed document belongs to the alleged signatory.
On-premise Signature: Legal Validity
On-premise signatures are carried out with qualified electronic certificates which offer the highest level of digital signature: the qualified electronic signature.
Electronic certificates can be generated using:
- Cryptographic cards.
- Software.
- USB tokens.
Docuten’s on-premise signature solution is compatible with all operating systems and browsers, and has been implemented using Java Web Start (replacing the old applets).
A biometric signature is a solution that allows you to sign documents with a handwritten signature on any mobile device (tablet, smartphone) with full legal validity.
The Docuten mobile application sends the signed document with the biometric data encrypted in the document itself, providing complete legal guarantees. This ensures the inalterability of the document since it’s impossible to modify it after signature.
The biometric data of a signature is made up of: speed in x, speed in y, acceleration in x, acceleration in y, angular accelerations, pressure variation, pseudo pressure, number of strokes, order of strokes, trace durations, etc.
Biometric data is encrypted in the application itself with the public component of an encryption key. The private component is stored by the certification authority or notary that generated it, and only upon court request is this used to decrypt the biometric information.
A timestamp is an online mechanism that demonstrates the existence of data from a specific moment in time, and that it has not been altered since then.
At Docuten, using a timestamp offers more security when signing digitally.
Since a timestamp shows that data has existed from a specific point in time (and has not been altered), it serves as reliable proof of when a document was signed, adding to the value of electronically signed documents.
All of the solutions offered by Docuten comply with the European eIDAS Regulation, along with other international regulations on digital signature. Feel free to contact us if you have further questions about our different digital signature options.
Among our digital signature services, Docuten supports using a centralised signature (that can sometimes be executed with a one-time password).
Centralised electronic signature involves centrally managing the electronic certificates used in an organisation so that the certificates operate from a single, controlled, secure repository.
Practically speaking, this means that electronic certificates are generated and stored on the server, and can used from any computer or mobile device.
Is a centralised signature legal?
Yes, with the entry into force of European Regulation No. 910/2014 on electronic signature (eIDAS), centralising keys is permitted.
Complete security is guaranteed since the certificate remains in the custody of the signatory and can only be accessed with the password with which it was encrypted.
At the time of signing, a one-time password (OTP) is sent to the signatory’s mobile device, which must be entered to complete the process.
What are the advantages to a centralised signature?
There are many advantages to using a centralised key:
- Device freedom: users will always have access to electronic certificates regardless of the computer or mobile device they use.
- Centralised control of permissions: you can limit the number of certificates to which a user has access, as well as the pages or services they can engage with.
- Monitoring and traceability: key centralisation allows you to monitor time and location, and two-factor authentication. In addition, it offers a record of all operations carried out with electronic certificates in an organisation.
- Fewer losses: you avoid losing certificates since they are not stored on the user’s machine.
- Revoked, expired or destroyed certificates: handling these issues is the responsibility of the organisation since the certificates are centralised.
Types of centralised signatures
With a centralised signature both qualified and non-qualified certificates can be used:
- Qualified certificates are issued by a qualified certification authority. In this case, the signature would be a qualified signature.
- Non-qualified certificates are issued by the electronic signature platform itself. In this case, the electronic signature would be an advanced electronic signature.
With Docuten it’s possible to use both formats, but to use qualified certificates you must have our Enterprise Service (contact us to clarify any questions you have about this plan).
Docuten’s digital signature solutions supports on-premise signatures. Meaning, our service enables you to sign on site.
An on-premise signature is done with an electronic certificate stored on the signatory’s own computer or device.
Is it legal to use the on-premise signature to sign on site?
Yes, the on-premise signature is the digital signature that has been used in Spain in recent years. It’s legal validity is outlined in European Regulation (No. 910/2014) on electronic signature (eIDAS) as well as in other international regulations (more information on the legality of the digital signature here).
What level of signature can be done with an on-premise signature?
With an on-premise signature, both qualified and non-qualified certificates can be used:
- Qualified certificates are issued by a qualified certification authority. In this case, the signature would be a qualified signature.
- Non-qualified certificates are issued by the electronic signature platform itself. In this case, the electronic signature would be an advanced electronic signature.
What are the characteristics of Docuten’s on-premise signature service?
Using Docuten you can sign with qualified (recognised) electronic certificates, which offer the highest level of signature: the qualified electronic signature.
The electronic certificates can be generated:
- in cryptographic card
- in software
- in USB token
The certificate is kept on the server, and no components are needed for its use.
Our on-premise signature solution is compatible with all operating systems and browsers, and is implemented using a java component that is installed on the signatory’s computer (replacing the old applets).
All of Docuten’s signature options comply with the European eIDAS Regulation. Feel free to contact us if you have further questions.n local de java que se instala en el ordenador del firmante (sustituyendo a los antiguos applets).
Docuten has all the types of signatures included in the eIDAS Regulation:
- Simple
- With OTP Code
- Certified in the cloud
- Biometrics
- Automatic
- With own certificate
Depending on your use case, we will recommend one type or another. Contact us so that we can advise you on the best solution for you..
Docuten is a Qualified Trust Service Provider (QTSP) in accordance with Regulation (EU) No. 910 / 2014 on electronic identification and trust services for electronic transactions (eIDAS).
This means that Docuten is recognized to provide, at European and, therefore, national level, the following services, from issuing digital certificates to electronic time stamps:
- Issuance of qualified electronic certificates of electronic signature.
- Issuance of qualified electronic certificates of electronic seal.
- Issuance of qualified electronic time stamps